VYPR
Vypr IntelligenceAI-generatedJul 7, 2026· 9 CVEs

Radare2: Nine Local Vulnerabilities Disclosed Together, Exploits Publicly Available

Nine vulnerabilities in Radare2, disclosed July 5-7, 2026, include integer overflows, buffer overflows, and DoS flaws, with some exploits publicly available.

Key findings

  • Nine Radare2 vulnerabilities disclosed between July 5-7, 2026, affecting versions up to 6.1.6.
  • Multiple integer overflow and buffer overflow vulnerabilities require local access.
  • Several denial-of-service flaws include use-after-free and heap-based overflows.
  • Exploits for some CVEs are publicly available, increasing risk.
  • Radare2 version 6.1.6 contains patches for all disclosed vulnerabilities.

On July 5-7, 2026, a batch of nine vulnerabilities was disclosed for the Radare2 reverse engineering framework. These vulnerabilities, affecting versions up to 6.1.6, primarily involve local privilege escalation and denial-of-service (DoS) flaws. The disclosures highlight weaknesses in core components, including string manipulation functions, command handlers, and binary format parsers. The majority of these issues were reported on July 7th, with a few preceding them on July 5th and 6th.

Several CVEs stem from integer overflow vulnerabilities. CVE-2026-14787 impacts the cmd_print function within libr/core/cmd_print.inc, while CVE-2026-14761 and CVE-2026-14786 affect string utility functions in libr/util/str.c. Additionally, CVE-2026-14758 involves an integer overflow in the hexpairs parser's cmd_anal_opcode function. These integer overflows, all requiring local access, could lead to unexpected behavior or potential crashes.

Further complicating the security posture of Radare2, a stack-based buffer overflow was identified in the Memory64ListStream Parser component, specifically within the mdmp.c file, detailed in CVE-2026-14789. This vulnerability also necessitates local access for exploitation.

The batch also includes several denial-of-service vulnerabilities. CVE-2026-14788 and CVE-2026-14760 are described as use-after-free vulnerabilities, with the former affecting the r_core_bin_load function and the latter being a general local use-after-free flaw. CVE-2026-14759 is a heap-based buffer overflow, also leading to a denial of service. These DoS vulnerabilities, all rated low severity, could be exploited by local attackers to crash the application.

One CVE, CVE-2026-14757, is classified as moderate severity and involves an integer overflow with local impact. The descriptions for several of these vulnerabilities, including CVE-2026-14787, CVE-2026-14761, CVE-2026-14786, and CVE-2026-14758, explicitly state that exploits have been publicly disclosed and may be used for attacks.

The Radare2 project has addressed these vulnerabilities in version 6.1.6. Users are strongly advised to update to this version or later to mitigate the risks associated with these security flaws. The coordinated disclosure of these nine CVEs underscores the importance of timely patching and awareness of potential local attack vectors within the Radare2 ecosystem.

The vulnerability disclosures indicate that Radare2 versions up to 6.1.6 are affected. The patched version is 6.1.6. Multiple vulnerabilities are related to integer overflows. Several vulnerabilities are related to denial of service (use-after-free, heap overflow). Exploits for some of these vulnerabilities have been publicly disclosed. All reported vulnerabilities require local access for exploitation.

AI-written article. Grounded in 9 CVE records listed below.